Test and Development Zone A Security Technical Implementation Guide

The Test & Development Zone A STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R5

Published: 2018-09-17

Updated At: 2018-11-03 10:27:50

Compare/View Releases

Select any two versions of this STIG to compare the individual requirements

Select any old version/release of this STIG to view the previous requirements

Actions

Download

Filter


Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-51202r1_rule ENTD0010 MEDIUM Network infrastructure and systems supporting the test and development environment must be documented within the organizations accreditation package. Up-to-date documentation is essential in assisting with the management, auditing, and security of the network infrastructure used to support the test and development environment. Network diagrams are important because they show the overall layout where d
    SV-51203r1_rule ENTD0020 MEDIUM Network infrastructure and systems supporting the test and development environment must follow DoD certification and accreditation procedures before connecting to a DoD operational network or Internet Service Provider. Prior to connecting to a live operational network, such as the DISN, systems, at minimum, receive an IATO. A system without an IATO does not show adequate effort to meet IA controls and security requirements and may pose a risk to other computers or syst
    SV-51291r1_rule ENTD0030 MEDIUM Network infrastructure and systems supporting the test and development environment must be registered in a DoD asset management system. An asset management system is used to send out notifications on vulnerabilities in commercial and military information infrastructures as they are discovered. If the organization's assets are not registered with an asset management system, administrators
    SV-51292r1_rule ENTD0040 MEDIUM Network infrastructure and systems supporting the test and development environment must be managed from a management network. It is important to restrict administrative access to the supporting network infrastructure and systems in the test and development environment, as it reduces the risk of data theft or interception from an attacker on the operational network.ECSC-1
    SV-51293r1_rule ENTD0050 MEDIUM The organization must document impersistent connections to the test and development environment with approval by the organizations Authorizing Official. An impersistent connection is any temporary connection needed to another test and development environment or DoD operational network where testing is not feasible. As any unvetted connection or device will create additional risk and compromise the entire
    SV-51294r1_rule ENTD0060 MEDIUM Application development must not occur on DoD operational network segments. To reduce the risk of compromise of DoD operational networks and data, application and system development needs to be limited to systems within a network segment designated for development only.ECSC-1
    SV-51295r1_rule ENTD0070 HIGH Development systems must have antivirus installed and enabled with up-to-date signatures. Virus scan programs are a primary line of defense against the introduction of viruses and malicious code that can destroy data and even render a computer inoperable. Utilizing the most current virus scan program provides the ability to detect this malici
    SV-51296r1_rule ENTD0080 MEDIUM Development systems must have HIDS or HIPS installed and configured with up-to-date signatures. A HIDS or HIPS application is a secondary line of defense behind the antivirus. The application will monitor all ports and the dynamic state of a development system. If the application detects irregularities on the system, it will block incoming traffic
    SV-51297r1_rule ENTD0090 MEDIUM Development systems must have a firewall installed, configured, and enabled. A firewall provides a line of defense against malicious attacks. To be effective, it must be enabled and properly configured.ECSC-1
    SV-51298r1_rule ENTD0100 MEDIUM Development systems must be part of a patch management solution. Major software vendors release security patches and hotfixes to their products when security vulnerabilities are discovered. It is essential that these updates be applied in a timely manner to prevent unauthorized individuals from exploiting identified v
    SV-51299r1_rule ENTD0110 MEDIUM A change management policy must be implemented for application development. Change management is the formal review process that ensures that all changes made to a system or application receives formal review and approval. Change management reduces impacts from proposed changes that could possibly have interruptions to the servic
    SV-51469r1_rule ENTD0120 MEDIUM The organization must document and gain approval from the Change Control Authority prior to migrating data to DoD operational networks. Without the approval of the Change Control Authority, data moved from the test and development network into an operational network could pose a risk of containing malicious code or cause other unintended consequences to live operational data. Data moving
    SV-51472r1_rule ENTD0130 MEDIUM Application code must go through a code review prior to deployment into DoD operational networks. Prior to release of the application receiving an IATO for deployment into a DoD operational network, the application will have a thorough code review. Along with the proper testing, the code review will specify flaws causing security, compatibility, or r
    SV-51477r1_rule ENTD0140 MEDIUM Access to source code during application development must be restricted to authorized users. Restricting access to source code and the application to authorized users will limit the risk of source code theft or other potential compromise.ECAN-1, ECCD-1, ECLP-1
    SV-51479r2_rule ENTD0150 MEDIUM The organization must sanitize data transferred to test and development environments from DoD operational networks for testing to remove personal and sensitive information exempt from the Freedom of Information Act. If DoD production data is transferred to a test and development environment and personal or sensitive information has not been sanitized from the data, personal or sensitive information could be exposed or compromised.
    SV-51485r1_rule ENTD0160 MEDIUM The test and development infrastructure must use a gateway to separate access to DoD operational networks. Acting as the first hop into a test and development environment, the gateway can implement proper routing and provide a first layer of defense against attacks and other unintentional compromise or spillage of sensitive information into the operational net
    SV-51487r1_rule ENTD0170 MEDIUM Ports, protocols, and services visible to DoD operational networks or ISPs must follow DoDI 8551.1 policy. In accordance with the DoD 8551.1 policy, the test and development environment may require external access to live operational data to perform final stage testing. All network connections for the test and development environment must make use of the PPS
    SV-51494r1_rule ENTD0180 HIGH The test and development infrastructure must use a firewall for traffic inspection to and from DoD operational networks. A firewall is necessary to inspect traffic as it flows into and out of the test and development environment. Without a firewall present, traffic could flow freely between the operational network and test and development environment, allowing malicious or
    SV-51529r1_rule ENTD0230 LOW Access control lists between development and testing network segments within a test and development environment must be in a deny-by-default posture. To prevent malicious or accidental leakage of information between test and development environments, organizations must implement a deny-by-default security posture. All traffic not explicitly permitted must be denied. Such rule sets prevent many malici
    SV-51530r1_rule ENTD0240 HIGH Access control lists between the test and development environment and DoD operational networks must be in a deny-by-default posture. To prevent malicious or accidental leakage of traffic between test and development environments and operational networks, organizations must implement a deny-by-default security posture. Perimeter routers, boundary controllers, or firewalls must deny inc
    SV-51531r1_rule ENTD0250 MEDIUM Access control lists between the test and development environments must be in a deny-by-default posture. To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture between test and development environments. All ingress and egress traffic not explicitly permitted between test and development environ
    SV-51534r1_rule ENTD0280 MEDIUM Remote access into the test and development environment must use an encryption mechanism approved for the classification level of the network. Remote access to the environment using unapproved encryption mechanism is inherently dangerous because anyone with a packet sniffer and access to the network can acquire the device's account and password information. With this intercepted information, a
    SV-51536r1_rule ENTD0300 MEDIUM Remote access VPNs must prohibit the use of split tunneling on VPN connections. The VPN software on a host can be configured in either of two modes. It can be set to encrypt all IP traffic originating from that host, and send all of that traffic to the remote IP address of the network gateway. This configuration is called “tunnel-a
    SV-51538r1_rule ENTD0320 LOW Installation of operating systems on systems and devices in the test and development environment must be logically separated to prohibit access to any operational network. Systems are most vulnerable to attack during the installation of an operating system because no security controls have been put in place to protect the system. It is very important to block all access to a system while the operating system is being insta
    SV-51539r1_rule ENTD0330 MEDIUM Virtual machines used for application development and testing must not share the same physical host with DoD operational virtual machines. Attacks on virtual machines from other VMs through denial of service and other attacks potentially stealing sensitive data such as source code used in application development. It is imperative to keep DoD operational virtual machines on physically separa
    SV-54070r1_rule ENTD0360 MEDIUM Data used for testing and development must be downloaded through a secure connection to an IA-compliant system for vulnerability scanning prior to deployment in the test and development environment. It is mandatory that data from an untrusted network or website that is to be used in a testing and development environment be downloaded through a secure perimeter. Bringing data directly from an untrusted network or downloaded from a personal computer o
    SV-56070r1_rule ENTD0370 MEDIUM The organization must create a policy and procedures document for proper handling and transport of data entering (physically or electronically) the test and development environment. Without policies and procedures in place, the organization will not have the authority to hold personnel accountable for improperly handling or transporting data into the test and development environment. The documents need to include guidance for both ph